REST /images/create doesn't work with password, but works using Docker login manually

[aryamsft]

Description

I have a strange problem. I'm able to authenticate against my ACR (Azure Container Registry) with two different passwords that I've setup when I use "docker login -u <username> -p <password> <serverAddress>" and pull an image.

But, when I use the API "/images/create" found at docs.docker.com/engine/api/v1.40/#operation/ImageCreate
it works with one of the password but not the other.

How can both passwords work with pulling docker manually, but one work and the other not with the above API? I'm using the exact same C# code to create the base64url encoded JSON as specified here: docs.docker.com/engine/api/v1.40/#section/Authentication
and calling post with the X-Registry-Auth header.

To make the situation even weirder, I used the /auth API found here: https://docs.docker.com/engine/api/v1.40/#operation/SystemAuth
and both passwords worked (I got a status HTTP 200).

I can repro this consistently.

The error from dockerd for the BAD password is:

Handler for POST /v1.40/images/create returned error: Get https://<ACR_ADDRESS>/v2/<ImageName>/manifests/v1: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.

Describe the results you received:

• Received StatusCode=InternalServerError, reasonPhrase=Internal Server Error, header=Api-Version: 1.40
  Docker-Experimental: false
  Ostype: windows
  Server: Docker/19.03.12 (windows)
  Date: Mon, 19 Oct 2020 19:48:02 GMT
  Connection: close

For the password that does NOT work. For the password that works, got 200 OK.

Describe the results you expected:

• Expect both passwords to work since they both work with docker login. Or both passwords to fail.

Output of docker version:

PS C:\zip> docker version
Client: Docker Engine - Enterprise
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.13
 Git commit:        4306744
 Built:             08/05/2020 19:27:53
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.13.13
  Git commit:       f295753ffd
  Built:            08/05/2020 19:26:41
  OS/Arch:          windows/amd64
  Experimental:     false

Output of docker info:

Client:
 Debug Mode: false
 Plugins:
  cluster: Manage Docker Enterprise clusters (Mirantis Inc., v1.6.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.12
 Storage Driver: windowsfilter
  Windows: 
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: inactive
 Default Isolation: process
 Kernel Version: 10.0 19041 (19041.1.amd64fre.vb_release.191206-1406)
 Operating System: Windows Server 2019 Datacenter Version 2004 (OS Build 19041.1)
 OSType: windows
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.62GiB
 Name: WIN-24673IDG8TJ
 ID: KOJ2:R27W:RLNB:R2TE:MVSA:YPJZ:X3Z3:GKVB:FF3Q:TEHV:I5CM:CI6A
 Docker Root Dir: C:\ProgramData\docker
 Debug Mode: true
  File Descriptors: -1
  Goroutines: 26
  System Time: 2020-10-19T16:40:42.3484175-07:00
  EventsListeners: 1
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

The images I'm trying to pull and authenticate is with Azure Container Registry.

[aryamsft]

@cpuguy83 For thoughts

[thaJeztah]

The CLI uses the same API, so my first thought would be that there's some difference in how the C# code encodes the credentials and how the golang binary handles this 🤔. Are you seeing this problem only when authenticating with ACR, or also if you try against Docker Hub?

[aryamsft]

@thaJeztah I tried it with docker hub using my C# program and it seems to have worked (with the bad password). I created a dockerhub account, uploaded the same image, then using a username/password (bad password), was able to login via my C# program.

Here is the code I'm using:

            HttpClient httpClient = new HttpClient();

            var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost:2375/images/create?fromImage=msfttest12345/msfttestrep:v1")
            {
                Version = System.Net.HttpVersion.Version11
            };

            String configJson = "{\"username\":\"msfttest12345\",\"password\":\"<BADPASSWORD>\",\"email\":\"\"}";

            var authConfigBytes = Encoding.UTF8.GetBytes(configJson);
            var authConfigBase64Str = Convert.ToBase64String(authConfigBytes);

            request.Headers.Add("User-Agent", "Something");
            request.Headers.Add("X-Registry-Auth", authConfigBase64Str);

            var tokenSource = new System.Threading.CancellationTokenSource(1000000);

            return await httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, tokenSource.Token);

I tried as well the "good password", that worked as well.

So this problem is intermittent with ACR, it has consistent behavior with the particular principal (AAD object) with the passwords for that principal, but other exact same principals seem to work.

The code I'm using is the same that is being used in Service Fabric for over 2 years. I'm not sure why this started.

[thaJeztah]

Make sure you use base64url encoding, not base64 (specs are linked from the API docs); not sure if there's an official way in C#, but here's an answer on stackoverflow; https://stackoverflow.com/a/48859004

[aryamsft]

Gave the base64url encoding a try, as specified here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.base64urlencoder.encode?view=azure-dotnet

Neither password works using that. Tried this: https://github.com/neosmart/UrlBase64/
Same deal. The only difference in the base64 encoding that I saw was that base64url does not have an '=' character at the end, where as base64 does.

I think using "ToBase64String" is the correct move based on the behavior I'm seeing.

Are there other ways to debug this or any other possible clue on what could explain the above behavior?

[thaJeztah]

So differences between base64url and base64 encoding are outlined in https://tools.ietf.org/html/rfc4648#section-5

An alternative alphabet has been suggested that would use "~" as the
63rd character.  Since the "~" character has special meaning in some
file system environments, the encoding described in this section is
recommended instead.  The remaining unreserved URI character is ".",
but some file system environments do not permit multiple "." in a
filename, thus making the "." character unattractive as well.

The pad character "=" is typically percent-encoded when used in an
URI [9], but if the data length is known implicitly, this can be
avoided by skipping the padding; see section 3.2.

Which means that in the encoded string;

• trailing = (padding symbols) are omitted
• - is used instead of +
• _ is used instead of /

One thing I notice is that your code example doesn't set the serveraddress field, but when doing a quick debug of the docker cli code, and printing the credentials it encodes, that field is set;

diff --git a/cli/command/registry.go b/cli/command/registry.go
index 86fba0598..ea9bbd8b8 100644
--- a/cli/command/registry.go
+++ b/cli/command/registry.go
@@ -52,6 +52,7 @@ func EncodeAuthToBase64(authConfig types.AuthConfig) (string, error) {
        if err != nil {
                return "", err
        }
+       fmt.Println(string(buf))
        return base64.URLEncoding.EncodeToString(buf), nil
 }

Code in the CLI is here; https://github.com/docker/cli/blob/f8696535e9e516a5a404661697fef6f1228ada64/cli/command/registry.go#L50-L56

With that debug line included, running a docker pull (after logging in with docker login) shows;

docker pull hello-world
Using default tag: latest
{"username":"MYUSERNAME","password":"MYPASSWORD","serveraddress":"https://index.docker.io/v1/"}
latest: Pulling from library/hello-world
Digest: sha256:8c5aeeb6a5f3ba4883347d3747a7249f491766ca1caa47e5da5dfcf6b9b717c0
Status: Image is up to date for hello-world:latest
docker.io/library/hello-world:latest

I'd have to check if serveraddress is optional, or required (note that index.docker.io/v1 is the default for Docker Hub (IIRC that domain is for legacy reasons, but we may actually be able to update to hub.docker.com/v2/).

If the field is not optional (or perhaps only optional for the default "docker hub" case), we should update the documentation with that information.

Can you try if it works if you set the serveraddress field? Note that the email field is deprecated and should be safe to omit (that's at least something to include in the docs)

[thaJeztah]

Actually, if some passwords work, but some don't, I don't think the serveraddress should be the issue, and the encoding issue would still be my primary suspect.

[aryamsft]

@thaJeztah Ok, I figured this out. Yes, the encoding was the problem.

"Bad" Password
Base64Encoding:  eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoicy45cnF1R0UuY2kwOTRjM210WDViLVkxfkkyX0hzT25+WSIsImVtYWlsIjoiIn0=

Base64UrlEncoding using Microsoft.IdentityModel.Tokens.Base64UrlEncoder:
eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoicy45cnF1R0UuY2kwOTRjM210WDViLVkxfkkyX0hzT25-WSIsImVtYWlsIjoiIn0

Base64UrlEncoding using the GIT link you gave me AND preserving padding:
eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoicy45cnF1R0UuY2kwOTRjM210WDViLVkxfkkyX0hzT25-WSIsImVtYWlsIjoiIn0=

"Good" Password:
Base64Encoding:  eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoiZDZyflcuNTNuVThsSlhYZHNTRFBWaDMtd1ZrRV9BWmxCNiIsImVtYWlsIjoiIn0

Base64UrlEncoding using Microsoft.IdentityModel.Tokens.Base64UrlEncoder:
eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoiZDZyflcuNTNuVThsSlhYZHNTRFBWaDMtd1ZrRV9BWmxCNiIsImVtYWlsIjoiIn0

Base64UrlEncoding using the GIT link you gave me AND preserving padding:
eyJ1c2VybmFtZSI6ImU4OTE0ZjM2LTEwY2MtNDI4Ni04ZTMxLTBlNzk5NDVmOWY5MyIsInBhc3N3b3JkIjoiZDZyflcuNTNuVThsSlhYZHNTRFBWaDMtd1ZrRV9BWmxCNiIsImVtYWlsIjoiIn0=

So it seems the base64url encoding, which converts '+' to '-' IS correct, and a bug in Service Fabric which we should change. BUT, we need to preserve the '=' character, which the Microsoft.IdentityModel.Tokens API's do NOT do.
Microsoft.IdentityModel.Tokens API Link

I think we can close this issue. BUT, is not using the '=' an error on Azure Container Registry meaning they should accept encoding without that? Or is the error in the Microsoft.IdentityModel.Tokens API where they SHOULD include the '=' regardless?
Or does the Docker API Implementation need to change in some way? Seems like the CLI does the right thing...perhaps the Docker REST API's should be updated to mention that padding with '=' is the way to go?

FYI, the serveraddress field doesn't seem to matter :)

[aryamsft]

@thaJeztah

FYI, this API worked with the bad encoding: https://docs.docker.com/engine/api/v1.40/#operation/SystemAuth

That shouldn't have worked, correct?

[Tratcher]

The padding is officially optional when using base64urlencoding, and it's better to exclude it in many context to avoid additional encodings.

https://tools.ietf.org/html/rfc4648#section-5
The pad character "=" is typically percent-encoded when used in an
URI [9], but if the data length is known implicitly, this can be
avoided by skipping the padding; see section 3.2.

So the issue is that the decoder used by ACR should allow both padded and unpadded formats.

[aryamsft]

@thaJeztah I think it would make sense if you added to the documentation Docker REST AUTH API Doc when using base64url encoding, registries expect the padding '=' character as that is what docker code uses by default and ACR (and I assume docker registries as well) expect the '=' padding character to be there.

As far as ACR is concerned, I reached out to them and there is there response:

The dockerd accepts base64url with padding only (source code available at image_routes.go line 71). Therefore, any dockerd client should follow the Docker spec instead of the RFC spec.

Since dockerd runs on the client host, and is considered as a registry client (i.e. client code to ACR or any registries), and is maintained by Docker Inc., it is out of the scope of Azure Container Registry (ACR) and ACR servers.

Essentially they are saying they are doing what docker does.